The ‘Penquin’ Turla

A Turla/Snake/Uroburos Malware for Linux

Recently, an interesting malicious sample was uploaded to a multi-scanner service. This immediately triggered our interest because it appears to represent a previously unknown piece of a larger puzzle. That puzzle is “Turla”, one of the most complex APTs in the world.

So far, every single Turla sample we’ve encountered was designed for the Microsoft Windows family, 32 and 64 bit operating systems. The newly discovered Turla sample is unusual in the fact that it’s the first Turla sample targeting the Linux operating system that we have discovered.

This newly found Turla component supports Linux for broader system support at victim sites. The attack tool takes us further into the set alongside the Snake rootkit and components first associated with this actor a couple years ago. We suspect that this component was running for years at a victim site, but do not have concrete data to support that statement just yet.

The Linux Turla module is a C/C++ executable statically linked against multiple libraries, greatly increasing its file size. It was stripped of symbol information, more likely intended to increase analysis effort than to decrease file size. Its functionality includes hidden network communications, arbitrary remote command execution, and remote management. Much of its code is based on public sources.

Functional description

This Turla cd00r-based malware maintains stealth without requiring elevated privileges while running arbitrary remote commands. It can’t be discovered via netstat, a commonly used administrative tool. It uses techniques that don’t require root access, which allows it to be more freely run on more victim hosts. Even if a regular user with limited privileges launches it, it can continue to intercept incoming packets and run incoming commands on the system.

Startup and Execution

To start execution, the process requires two parameters: ID (a numeric value used as a part of the “magic packet for authentication”) and an existing network interface name. The parameters can be inputted two different ways: from STDIN, or from dropper a launching the sample. This is NOT a command-line parameter, it’s a real prompt asking the attacker user to provide the input parameters. After the ID and interface name are entered and the process launched, the backdoor’s process PID is returned. Here is a screenshot of this simple interface:

While there is no initial network callback, a section of code maintains a hardcoded c2 string “news-bbc.podzone[.]org”. This fully qualified domain name was first set up in 2010, suggesting that this binary is fairly recent in the string of Turla campaigns. Also, while we haven’t seen additional file download activity from this server by this tool, it likely participated as a file server of sorts.

Magic Packets for Remote Command Execution

The module statically links PCAP libraries, and uses this code to get a raw socket, applies a filter on it, and captures packets, checking for a specific condition (the *original cd00r first used this method, based on ports and SYN-packets). This condition is expressed here (it is based on the ID value input at startup by the attacker):

In simple terms, it checks for an ACK number in the TCP header, or the second byte from the UDP packet body.

If such a packet is received and the condition check is successful, execution jumps to the packet payload contents, and it creates a regular socket. The backdoor handles this socket as a file with read/write operations. It’s not the typical recv/send used in this code. It uses this new socket to connect to the source address of the “magic packets”. Then it reports its own PID and IP to the remote address, and starts an endless loop for receiving remote commands. When a command arrives, it is executed with a “/bin/sh -c ” script.

Further analysis of the sample’s functionality will be updated here.

Conclusions

Although Linux variants from the Turla framework were known to exist, we haven’t seen any in the wild yet.

This specific module appears to have been put together from public sources with some added functionality from the attackers. Some of the malicious code appears to be inactive, perhaps leftovers from older versions of the implant. Perhaps the most interesting part here is the unusual command and control mechanism based on TCP/UDP packets, as well as the C&C hostname which fits previously known Turla activity.

The discovery of this Turla module rises one big question: how many other unknown Turla variants exist?

Update: Since the publishing of this blogpost, we have discovered another Linux Turla module, which apparently represents a different malware generation than the previously known samples:

The new sample was heuristically detected by our product due to similarities with the previously discovered samples.

Your best bet would be to blackhole the domain listed as hardcoded C&C domain. The IP, in fact, has already changed from what is published here, so trying to blackhole that IP address would be useless. If that domain either resolves to the localhost address, or possibly doesn’t resolve, then as the trojan would be unable to contact its C&C host, it would presumably shut down, or, at the very least, fail to take any further instructions.

…probably keep with the software updates, as much as possible anyway. The article states that it hasn’t been seen yet “in the wild”, so it probably is most likely not running on your local desktop. That said, should it become something worth worrying about, I’m hoping that there will be some kind of patch or detection mechanism from the usual linux players – Red Hat, Ubuntu, etc.

It seems as a hoax. Be carefull about this hystery. Unless it is verified it means nothing.

Thats only way how to decrease linux market share for servers and growing desktop interest – with FUD and uncertainty.
Yes, linux is much more secure than windows that it is not worth to do antivirus for it. Without viruses lot of companies will loose their job.

You don’t need to be an awk expert to notice that either the web-software or the poster inadvertently created “mixed” quotes. All statements that should be enclosed in a pair of single-quotes seem to be using an opening back-tick and a closing single quote …

@Craig, the command works, but you must change ‘ (u+2018) and ’ (u+2019) to ‘ (simple apostrophe sign) …

but still it needs sudo, because it searches all your data for files of size between 600 and 800 kB and of name containing either 0994d9deb50352e76b0322f48ee576c6 or 14ecd5e6fc8e501037b54ca263896a11 or 19fbd8cbfb12482e8020a887d6427315

It needs to be installed somehow as a kernel module and only a root user can do that. Regular users don’t have the ability to do that. If it’s a system process it doesn’t need “root” because the system is doing it (just like you don’t need “root” to start your computer).

I wonder if they’re using “insmod” to insert the Turla code into kernel space. It would take someone with root access to do that but once it’s in there it needs no escalating and, depending upon the mod code, could pretty much have the run of the system.

I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above.